Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

'Here You Have' Worm Floods E-Mail Inboxes

A mass mailer worm that struck NASA, Walt Disney Co. and other organizations is a throwback to the days of old, security researchers said. Here is what you need to know about it.

A mass-mailer worm flooded inboxes at a number of high-profile organizations today.

Dubbed "Here you have" because of its e-mail subject line, the worm struck organizations such as NASA and the Walt Disney Co. In some ways, the worm is a throwback to attacks such as the Anna Kournikova virus, which security researchers at Symantec noted actually had the same subject line when it appeared in 2001.

"This used to be a massive problem when e-mail worms were at their peak, and this re-emergence shows that you can never assume old tried and true methods won't be used again," said Bradley Anstis, vice president of technology strategy at M86 Security.

The body of the e-mail sometimes contained the message "This is The Document I told you about, you can find it Here," followed by a malicious link that appears to be a PDF document but is actually a .SCR file. The e-mail then instructs the recipient to "please check it and reply as soon as possible." Other versions of the worm have the subject "Just For you" and "This is The Free Dowload [sic] Sex Movies,you can find it Here" in the body.

Further reading

According to a report by ABC News, the worm wiggled its way into a number of organizations, including the Florida Department of Transportation and Wells Fargo. Once on a PC, the malware attempts to disable security software and propagate, blasting itself out to e-mail contacts in the victim's address book. As a result, an organization's e-mail infrastructure can be overloaded, researchers at McAfee warned.

"Most e-mail systems will block e-mails with executable files and scripts attached to them by default," Sam Masiello, director of messaging security research at McAfee, told eWEEK. "This attack went around such defenses by instead containing a link to a Website which was hosting the malicious screen saver file. The Website that was hosting the malicious file is a legitimate Web host in the UK that is owned by Lycos, so the entire Website could not be blocked proactively."

In addition to e-mail, the worm attempts to spread through mapped drives, accessible remote machines and removable media with AutoRun enabled, Masiello added.

"The addresses that the worm will attempt to replicate through via e-mail are being harvested from the infected user's address book," he said. "Although we aren't sure exactly how many messages have been sent out from infected machines, we do believe at this time that the e-mail propagation vector has been crippled because the site that was hosting the malicious file has been removed. It is very possible that new variants may emerge, so we can't consider ourselves to be out of the woods. Machines that are already infected may still attempt to propagate through e-mail and available network shares and removable media."

It is very difficult for users to work out what is dangerous and what is not, and the bulk of spam should be stopped at the e-mail gateway, Anstis said.

"Why does the average user need to get file types other than the typical document types ... this recent case uses a .SCR file. E-mail administrators should be limiting file type distribution as much as possible," he said.

Security pros advised users to be wary of unsolicited e-mails with suspicious links.

"Mass-mailers went out of style simply because this MO [modus operandi] would not work for cyber-criminals, especially if they want to remain hidden below the radar when they are conducting their nefarious activities like information-stealing or spamming campaigns," said Ivan Macalintal, senior threats researcher with Trend Micro. "Mass-mailers create noise, and their malicious creations will soon be found out with [antivirus] and other security products being able to have coverage ASAP.

"If the authors of this attack found this method beneficial for them, they may opt to do this again," he added. "If they have been nipped in the bud, they will regroup and find other opportunities."